Why Twitter's new security won't keep you safe

Twitter has taken a welcome step to help protect its community members by switching everyone to a more secure way of browsing its website.

The company is flipping the switch to activate Secure HTTP, better known as https, for everyone. The secure version of the Web’s hypertext transfer protocol is mainly used on websites that carry sensitive data, such as those of financial institutions or e-commerce storefronts.

Other websites use https only while you’re logging in, as https is a little slower than the regular protocol used for browsing the Web. Twitter initially launched its https option last March.

If that all sounds a bit technical, here’s how it benefits you: When you’re using an unsecured wireless network at a coffee shop, library, or other public place, your Web activity is unprotected. Anyone who’s connected to the same network and has a little technical know-how can, in theory, “sniff” your traffic, hijack your logins, and start posting on your various accounts.

Ashton Kutcher fell victim to such an attack last March, when a hacker took over his Twitter account when they were online through the same network. At that point, Twitter hadn’t publicly launched secure browsing, it announced that it was available for users on its website, and soon offered it as an option in user settings.

How does https prevent such an attack? It does this by encrypting data as it’s sent between your computer and a website’s servers. While your Web activity is still visible over the air, a hacker would have to defeat the encryption to read any of it.

At a time when the security and privacy of Web communities are coming underscrutiny, Twitter’s latest move is one that’s largely been welcomed—especially by the more technically minded.

“Nice one Twitter!” wrote security expert Graham Cluley. Mikko Hyponnen, chief research officer at security company F-Secure, tweeted: “Sad day for Wi-Fi sniffers, good for users.”

However, it doesn’t completely solve the problem of hackers gaining access to Twitter accounts. In October, for instance, Twitter was forced to react when several high-profile accounts were compromised—attacks are more likely to have taken place through password hacking or illegitimate links which led to malware downloads.

Malware on your computer isn’t affected by https, and can track your keystrokes as you type a password.

Twitter has placed another bolt on your door, but it you’ve chosen an easily guessable password or use the same password on multiple sites, you’re making it easy for hackers to take over your account. There’s no point in locking down your door when you leave the bathroom window open.

If you are using an unsecured wireless network, make sure you have a strong password in addition to activating secure browsing on Twitter and other sites where possible. You’ll know whether a website uses secure browsing if you look at your browser’s address bar and see “https” at the beginning and a padlock next to it.

Meanwhile, if you only use the Twitter website while on a secured network (say, when you’re at home), you might not need to use https. In fact, it will slow you down when you want to use Twitter. In this case, you can disable the https option from your account settings. But unless you really need Twitter to be a few milliseconds faster, there’s no harm in keeping https activated.

Password hint: using “12345” to lock down your data doesn’t work, as Syrian government officials found out.